----- Original Message -----
From: "Ken Marcus - Precision Web Hosting, Inc." kenmarcus (at mark) precisionweb.net
>
> In reading at http://se2.php.net/features.safe-mode
> I noticed the disable_functions option in the php.ini
>
> The example given was:
> disable_functions = shell_exec,exec,system,dbmopen,
> suexec,escapeshellcmd,show_source,escapeshellarg
>
>
> Anyone have any ideas on this?
> Would it be a good idea to add these or other directives to the php.ini
> (not the one used for the GUI but the php.ini used for the sites) ?
>
>
>
I know... I'm replying to my own email.
I think a better list would be:
disable_functions="dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"
If you want to know what malicious hackers can do, an interesting exercise
is to get the
http://mgeisler.net/php-shell/ and load it on one of the sites you host.
Then see what other sites you can access on your server.
If you don't have safe mode enabled, and are not using the
disable_functions, and are not using something like mod_security, then using
the php shell to do something like the commands below would be easy.
grep -r password /home/sites/www.someothersite.com/web/
ls -la /home/sites/www.someothersite.com/web/
And, if you allow FTP to non admin accounts on a site, then it's easy for
hackers to find stupid user accounts like user test pass test, upload a php
script to them, and go from there.
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
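A small audit script, added here as an example and not part of Ken's mail: it parses a php.ini the way PHP reads the directive (comments start with ";", the value may be quoted, names are comma-separated and case-insensitive, and a later occurrence of the directive overrides an earlier one) and reports which functions from the list proposed in the thread are still callable. The reference list is Ken's list plus pcntl_exec, which is my addition because it also starts a process; the php.ini text below is constructed for the example.

```python
"""Audit a php.ini for the disable_functions directive.

Added example (not from the original mailing-list post). Given php.ini text,
report which functions from a reference list are still enabled. The sample
php.ini at the bottom is constructed for this example.
"""
import re

# The functions the thread proposes disabling, plus one addition of mine:
# pcntl_exec is not in the post's list but also spawns a process when the
# pcntl extension is loaded.
REFERENCE_LIST = frozenset({
    "dl", "phpinfo", "shell_exec", "passthru", "exec", "popen", "system",
    "proc_get_status", "proc_nice", "proc_open", "proc_terminate", "proc_close",
    "pcntl_exec",  # my addition, not from the post
})

# Directive names in php.ini are matched case-insensitively.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_disable_functions(ini_text):
    """Return the set of (lower-cased) function names disabled by ini_text.

    Mirrors php.ini rules: lines beginning with ';' are comments, the value may
    be wrapped in quotes, a ';' outside quotes starts a trailing comment, names
    are comma separated and case-insensitive, and if the directive appears more
    than once the last occurrence wins.
    """
    disabled = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1)
        if value[:1] in ("'", '"'):
            # Quoted value: keep everything up to the closing quote.
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: anything after ';' is a comment.
            value = value.split(";", 1)[0]
        disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled or set()


def still_enabled(ini_text, reference=REFERENCE_LIST):
    """Sorted list of functions in `reference` that ini_text does NOT disable."""
    return sorted(reference - parse_disable_functions(ini_text))


# Constructed sample php.ini: a short first directive that must be overridden
# by the php.net example quoted in the thread, given as a quoted value with a
# trailing comment.
SAMPLE_INI = """\
[PHP]
; hardening for the shared-hosting php.ini
disable_functions = shell_exec,exec
disable_functions = "shell_exec,exec,system,dbmopen,suexec,escapeshellcmd,show_source,escapeshellarg" ; php.net example
"""

# Ken's proposed list, as a second sample.
KENS_INI = 'disable_functions="dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"\n'

if __name__ == "__main__":
    for label, ini in (("php.net example", SAMPLE_INI), ("Ken's list", KENS_INI)):
        print(label, "leaves enabled:", ", ".join(still_enabled(ini)) or "(nothing)")
```

Run it against the php.ini the web SAPI actually loads, not the CLI's: disable_functions can only be set in php.ini (it is PHP_INI_SYSTEM, so a site cannot override it from .htaccess or ini_set), and the CLI often reads a different php.ini than mod_php or the FastCGI worker, which is exactly the two-php.ini situation the mail describes. The "Loaded Configuration File" line of phpinfo() on the web side tells you which file to audit.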